
Document recommended process for installing vendor provided package upgrades in Wikimedia VPS
Open, Medium, Public

Description

VMs don't get anything beyond major security updates by default. Many project owners would like to have their VMs get regular updates. How should that happen?

This task is done when recommended practices are recorded somewhere on wikitech.

Questions:

  • Is a cron process that runs nightly apt-get update && apt-get upgrade -y a good idea?
  • Should there be a puppet role for this?
  • Should VMs install updates by default (opt-out) or should regular updates be opt-in?

Event Timeline

I'd like to see a puppet class that is enabled by default that sets up a cron job to run apt-get updates.

It seems to me this should be enabled by default so dummies like me don't forget to enable it. ;)

Looks like the cron strategy is recommended practice. https://help.ubuntu.com/community/AutomaticSecurityUpdates

The unattended-upgrades apt-get package provides some functionality for specifying what types of packages will be upgraded and which ones won't.

Labs used to have unattended-upgrades installed fleet-wide, not sure what happened with that. It may be that it was disabled because they can cause issues where packages you care about install and restart the underlying service (I'm just guessing). However, note that they're not protecting you necessarily: in many cases you have to restart individual services and in some cases /all/ services or reboot, in the cases of e.g. a libc6 or kernel vulnerability. And then there's all the other stuff that people may run on their VM (pip/npm/etc.)
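As an added illustration of the nightly cron approach asked about in the description and the two caveats raised in the comments above (upgrades that restart a service you care about, and libc6/kernel upgrades that need a reboot rather than a service restart), here is a wrapper script. It is example code written for this thread, not code from the task, from unattended-upgrades or from Wikimedia's puppet repository. The log path, the hold list and the package patterns it checks are assumptions for illustration; the apt-get, apt-mark and dpkg options it uses are the standard ones.

```shell
#!/bin/sh
# Added example (not from the Phabricator task or Wikimedia's puppet repo):
# a nightly "apt-get update && apt-get upgrade" wrapper that keeps hands off
# packages the VM owner does not want restarted automatically and logs when a
# reboot (libc6 / kernel) is required rather than a service restart.
set -u

LOG=${UPGRADE_LOG:-/var/log/nightly-apt-upgrade.log}   # assumed log path

# Packages whose automatic upgrade the VM owner has opted out of because the
# upgrade restarts the service (hypothetical list; unattended-upgrades offers
# an equivalent Package-Blacklist setting).
HOLD_PACKAGES="nginx mariadb-server"

# Print the package names that "apt-get -s upgrade" would install.
# Simulation output lines look like:
#   Inst libc6 [2.31-13] (2.31-13+deb11u5 Debian:11.6/stable [amd64])
upgraded_packages() {
    awk '$1 == "Inst" { print $2 }'
}

# Return 0 (true) when any listed package is one where a full reboot, not
# just a service restart, is needed after the upgrade; 1 otherwise.
needs_reboot() {
    for pkg in "$@"; do
        case "$pkg" in
            libc6|libc6:*|linux-image-*) return 0 ;;
        esac
    done
    return 1
}

# The real run only happens when invoked as `nightly-apt-upgrade.sh --apply`
# (from cron), so the functions above can be sourced and checked without
# touching apt.
if [ "${1:-}" = "--apply" ]; then
    export DEBIAN_FRONTEND=noninteractive
    apt-get -q update >>"$LOG" 2>&1
    for p in $HOLD_PACKAGES; do apt-mark hold "$p" >>"$LOG" 2>&1; done
    planned=$(apt-get -s upgrade | upgraded_packages)
    # shellcheck disable=SC2086
    set -- $planned
    if [ "$#" -eq 0 ]; then
        echo "$(date -u +%FT%TZ) nothing to upgrade" >>"$LOG"
        exit 0
    fi
    # --force-confold keeps locally edited config files instead of prompting
    apt-get -q -y -o Dpkg::Options::=--force-confold upgrade >>"$LOG" 2>&1
    echo "$(date -u +%FT%TZ) upgraded: $*" >>"$LOG"
    if needs_reboot "$@" || [ -f /var/run/reboot-required ]; then
        echo "$(date -u +%FT%TZ) REBOOT REQUIRED (libc6/kernel updated)" >>"$LOG"
    fi
fi
```

A cron line such as `15 4 * * * root /usr/local/sbin/nightly-apt-upgrade.sh --apply` (assumed path) would run it nightly; the "REBOOT REQUIRED" log line is what a project owner would watch for, since the upgrade alone does not close a libc6 or kernel vulnerability on a running VM.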

bd808 renamed this task from Document recommended process for installing OS upgrades in Wikimedia VPS to Document recommended process for installing vendor provided package upgrades in Wikimedia VPS. Jul 10 2018, 8:31 PM
bd808 triaged this task as Medium priority.